[57] ABSTRACT

A technique for use in a public key exchange cryptographic system, in which two user devices establish a common session key by exchanging information over an insecure communication channel, and in which each user can authenticate the identity of the other, without the need for a key distribution center. Each device has a previously stored unique random number Xi, and a previously stored composite quantity that is formed by transforming Xi to Yi using a transformation of which the inverse is computationally infeasible, then concatenating Yi with a publicly known device identifier, and digitally signing the quantity. Before a communication session is established, two user devices exchange their signed composite quantities, transform them to unsigned form, and authenticate the identity of the other user. Then each device generates the same session key by transforming the received Y value with its own X value. For further security, each device also generates another random number X'i, which is transformed to a corresponding number Y'i. These Y'i values are also exchanged, and the session key is generated in each device, using a transformation that involves the device's own Xi and X'i numbers and the Yi and Y'i numbers received from the other device.

16 Claims, 3 Drawing Sheets
CRYPTOGRAPHIC METHOD AND APPARATUS FOR PUBLIC KEY EXCHANGE WITH AUTHENTICATION

BACKGROUND OF THE INVENTION

This invention relates generally to cryptographic systems and, more particularly, to cryptographic systems in which an exchange of information on an unsecured communications channel is used to establish a common cipher key for encryption and decryption of subsequently transmitted messages. Cryptographic systems are used in a variety of applications requiring the secure transmission of information from one point to another in a communications network. Secure transmission may be needed between computers, telephones, facsimile machines, or other devices. The principal goal of encryption is the same in each case: to render the communicated data secure from unauthorized eavesdropping.

By way of definition, "plaintext" is used to refer to a message before processing by a cryptographic system. "Ciphertext" is the form that the message takes during transmission over a communications channel. "Encryption" or "encipherment" is the process of transformation from plaintext to ciphertext. "Decryption" or "decipherment" is the process of transformation from ciphertext to plaintext. Both encryption and decryption are controlled by a "cipher key" or keys. Without knowledge of the encryption key, a message cannot be encrypted, even with knowledge of the encrypting process. Similarly, without knowledge of the decryption key, the message cannot be decrypted, even with knowledge of the decrypting process. The encryption is performed by a transformation E_k, defined by an encryption algorithm E and a key k that distinguishes E_k from other operations using the algorithm E. The transformation E_k encrypts a plaintext message M into an encrypted message, or ciphertext C. Similarly, the decryption is performed by a transformation D_k defined by a decryption algorithm D and a key k.

Dorothy E. R. Denning, in "Cryptography and Data Security," Addison-Wesley Publishing Co. 1983, suggests that, for complete secrecy of the transmitted message, two requirements must be met. The first is that it should be computationally infeasible for anyone to systematically determine the deciphering transformation D_k from intercepted ciphertext C, even if the corresponding plaintext M is known. The second is that it should be computationally infeasible to systematically determine plaintext M from intercepted ciphertext C. Another goal of cryptography systems is that of data authenticity. This requires that someone should not be able to substitute false ciphertext C' for ciphertext C without detection.

By way of further background, cryptographic systems may be classified as either "symmetric" or "asymmetric." In symmetric systems, the enciphering and deciphering keys are either the same or easily determined from each other. When two parties wish to communicate through a symmetric cryptographic system, they must first agree on a key, and the key must be transferred from one party to the other by some secure means. This usually requires that keys be agreed upon in advance, perhaps to be changed on an agreed timetable, and transmitted by courier or some other secured method. Once the keys are known to the parties, the exchange of messages can proceed through the cryptographic system.

An asymmetric cryptosystem is one in which the enciphering and deciphering keys differ in such a way that at least one key is computationally infeasible to determine from the other. Thus, one of the transformations E_k or D_k can be revealed without endangering the other.

In 1976, the concept of a "public key" encryption system was introduced by W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. on Info. Theory, Vol. IT-22(6), pp. 644-654 (Nov. 1976). In a public key system, each user has a public key and a private key, and two users can communicate knowing only each other's public keys. This permits the establishment of a secured communication channel between two users without having to exchange "secret" keys before the communication can begin. As pointed out in the previously cited text by Denning, a public key system can be operated to provide secrecy by using a private key for decryption; authenticity by using a private key for encryption; or both, by using two sets of encryptions and decryptions.

In general, asymmetric cryptographic systems require more computational "energy" for encryption and decryption than symmetric systems. Therefore, a common development has been a hybrid system in which an asymmetric system, such as a public key system, is first used to establish a common key between two parties wishing to communicate. Then this common key is used in a conventional symmetric cryptographic system to transmit messages from one party to the other. Diffie and Hellman have proposed such a system, in which the common key is established by an exchange of messages over an unsecured communications channel. However, as will be explained, the Diffie-Hellman public key system is subject to active eavesdropping. That is to say, it provides no foolproof authentication of its messages. With knowledge of the public keys, an eavesdropper can decrypt received ciphertext, and then re-encrypt the resulting plaintext for transmission to the intended receiver, who has no way of knowing that the message has been intercepted. The present invention relates to a significant improvement in techniques for public key exchange or public key management.

One possible solution to the authentication problem in public key management is to establish a key distribution center, which issues secret keys to authorized users. The center provides the basis for identity authentication of transmitted messages. In one typical technique, a user wishing to transmit to another user sends his and the other user's identities to the center, e.g. (A,B). The center sends to A the ciphertext message E_A(B,K,T,C), where E_A is the enciphering transformation derived from A's private key, K is the session key, T is the current date and time, and C = E_B(A,K,T), where E_B is the enciphering transformation derived from B's private key. Then A sends to B the message C. Thus A can send to B the session key K encrypted with B's private key; yet A has no knowledge of B's private key. Moreover, B can verify that the message truly came from A, and both parties have the time code for further message identity authentication. The difficulty, of course, is that a central facility must be established as a repository of private keys, and it must be administered by some entity that is trusted by all users. This difficulty is almost impossible to overcome in some applications, and there is, therefore, a significant need for an alternative approach to public key management. The present invention fulfills this need.

Although the present invention has general application in many areas of communication employing public key management and exchange, the invention was first developed to satisfy a specific need in communication by facsimile (FAX) machines. As is now well known, FAX machines transmit and receive graphic images over ordinary telephone networks, by first reducing the images to digital codes, which are then transmitted, after appropriate modulation, over the telephone lines. FAX machines are being used at a rapidly increasing rate for the transmission of business information, much of which is of a confidential nature, over lines that are unsecured. There is a substantial risk of loss of the confidentiality of this information, either by deliberate eavesdropping, or by accidental transmission to an incorrectly dialed telephone number.

Ideally, what is needed is an encrypting/decrypting box connectable between the FAX machine and the telephone line, such that secured communications can take place between two similarly equipped users, with complete secrecy of data, and identity authentication between the users. For most users, a prior exchange of secret keys would be so inconvenient that they could just as well exchange the message itself by the same secret technique. A public key exchange system is by far the most convenient solution, but each available variation of these systems has its own problems, as discussed above. The Diffie-Hellman approach lacks the means to properly authenticate a message, and although a key distribution center would solve this problem, as a practical matter no such center exists for FAX machine users, and none is likely to be established in the near future. Accordingly, one aspect of the present invention is a key management technique that is directly applicable to data transmission using FAX machines.

SUMMARY OF THE INVENTION

The present invention resides in a public key cryptographic system that accomplishes both secrecy and identity authentication, without the need for a key distribution center or other public facility, and without the need for double encryption and double decryption of messages. Basically, the invention achieves these goals by using a digitally signed composite quantity that is pre-stored in each user communication device. In contrast with the conventional Diffie-Hellman technique, in which random numbers Xi are selected for each communication session, the present invention requires that a unique number Xi be preselected and pre-stored in each device that is manufactured. Also stored in the device is the signed composite of a Yi value and a publicly known device identifier. The Yi value is obtained by a transformation from the Xi value, using a transformation that is practically irreversible.

Before secure communications are established, two devices exchange these digitally signed quantities, which may then be easily transformed into unsigned form. The resulting identifier information is used to authenticate the other user's identity, and the resulting Yi value from the other device is used in a transformation with Xi to establish a session key. Thus the session key is established without fear of passive or active eavesdropping, and each user is assured of the other's identity before proceeding with the transfer of a message encrypted with the session key that has been established.

One way of defining the invention is in terms of a session key generator, comprising storage means for storing a number of a first type selected prior to placing the key generator in service, and a digitally signed composite quantity containing both a unique and publicly known identifier of the session key generator and a number of a second type obtained by a practically irreversible transformation of the number of the first type. The session key generator has a first input connected to receive the number of the first type, and a second input connected to receive an input quantity transmitted over an insecure communications channel from another session key generator, the input quantity being digitally signed and containing both a publicly known identifier of the other session key generator and a number of the second type generated by a practically irreversible transformation of a number of the first type stored in the other session key generator. The session key generator also has a first output for transmitting the stored, digitally signed composite quantity over the insecure communications channel to the other session key generator, a second output, means for decoding the signed input quantity received at the second input, to obtain the identifier of the other session key generator and the received number of the second type, and means for generating a session key at the second output, by performing a practically irreversible transformation of the number of the second type received through the second input, using the number of the first type received through the first input.

For further security of the session key, the session key generator further includes a third input, connected to receive another number of the first type, generated randomly, and means for generating at the first output, for transmission with the digitally signed composite quantity, a number of the second type obtained by a practically irreversible transformation of the number of the first type received at the third input, and means for receiving from the second input another number of the second type generated in and transmitted from the other session key generator. The means for generating a session key performs a practically irreversible transformation involving both numbers of the first type, received at the first and third inputs, and both numbers of the second type received at the second input, whereby a different session key may be generated for each message transmission session.

More specifically, the number of the second type stored in digitally signed form in the storage means is obtained by the transformation Ya = a^Xa mod p, where Xa is the number of the first type stored in the storage means, and a and p are publicly known transformation parameters. The number of the second type received in the digitally signed composite quantity from the other session key generator is designated Yb, and the means for generating the session key performs the transformation K = Yb^Xa mod p.

When additional numbers X'a and X'b are also generated prior to transmission, the means for generating the session key performs the transformation K = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p, where X'a is the number of the first type that is randomly generated, Y'b is the additional number of the second type received from the other session key generator, and the ⊕ symbol means an exclusive OR operation.
In terms of a novel method, the invention comprises the steps of transmitting from each device a digitally signed composite quantity to the other device, the composite quantity including a publicly known device identifier IDa and a number Ya derived by a practically irreversible transformation of a secret number Xa that is unique to the device, receiving a similarly structured digitally signed composite quantity from the other device, and transforming the received digitally signed composite quantity into an unsigned composite quantity containing a device identifier IDb of the other device and a number Yb that was derived by transformation from a secret number Xb that is unique to the other device. Then the method performs the steps of verifying the identity of the other device from the device identifier IDb, and generating a session key by performing a practically irreversible transformation involving the numbers Xa and Yb.

Ideally, the method also includes the steps of generating another number X'a randomly prior to generation of a session key, transforming the number X'a to a number Y'a using a practically irreversible transformation, transmitting the number Y'a to the other device, and receiving a number Y'b from the other device. In this case, the step of generating a session key includes a practically irreversible transformation involving the numbers Xa, X'a, Yb and Y'b.

In particular, the transformations from X numbers to Y numbers are of the type Y = a^X mod p, where a and p are chosen to maximize irreversibility of the transformations, and the step of generating a session key includes the transformation

K = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p,

where ⊕ denotes an exclusive OR operation.

It will be appreciated from this brief summary that the present invention represents a significant advance in the field of cryptography. In particular, the invention provides for both secrecy and identity authenticity when exchanging transmissions with another user to establish a common session key. Other aspects and advantages of the invention will become apparent from the following more detailed description, taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a public key cryptographic system of the prior art;

FIG. 2 is a block diagram similar to FIG. 1, and showing how active eavesdropping may be used to attack the system;

FIG. 3 is a block diagram of a public key cryptographic system in accordance with the present invention;

FIG. 4 is a block diagram of a secure facsimile system embodying the present invention; and

FIG. 5 is a block diagram showing more detail of the cryptographic processor of FIG. 4.

DESCRIPTION OF THE PREFERRED EMBODIMENT

As shown in the accompanying drawings for purposes of illustration, the present invention is concerned with a public key cryptographic system. As discussed at length in the preceding background section of this specification, public key systems have, prior to this invention, been unable to provide both secrecy and identity authentication of a message without either a costly double transformation at each end of the communications channel, or the use of a key distribution center. U.S. Pat. No. 4,200,770 to Hellman et al. discloses a cryptographic apparatus and method in which two parties can converse by first both generating the same session key as a result of an exchange of messages over an insecure channel. Since the technique disclosed in the Hellman et al. '770 patent attempts to provide both secrecy and authentication in a public key cryptographic system, the principles of their technique will be summarized here. This should provide a better basis for an understanding of the present invention.

In accordance with the Hellman et al. technique, two numbers a and p are selected for use by all users of the system, and may be made public. For increased security, p is a large prime number, and a has a predefined mathematical relationship to p, but these restrictions are not important for purposes of this explanation. Before starting communication, two users, A and B, indicated in FIG. 1 at 10 and 12, perform an exchange of messages that results in their both computing the same cipher key, or session key K, to be used in transmitting data back and forth between them. The first step in establishing the session key is that each user generates a secret number in a random number generator 14, 16. The numbers are designated Xa, Xb, respectively, and are selected from a set of positive integers up to p-1. Each user also has a session key generator 18, 20, one function of which is to generate other numbers Y from the numbers X, a and p, using the transformations:

Ya = a^Xa mod p,

Yb = a^Xb mod p.

The values Ya, Yb are then processed through a conventional transmitter/receiver 22, 24, and exchanged over an insecure communications channel 26.

Transforming an expression to modulo p can be made by dividing the expression by p and retaining only the remainder. For example, 34 mod 17 = 0, and 35 mod 17 = 1. The expression a^X mod p is evaluated in the same way, by computing the exponential, dividing by p and retaining only the remainder.

If a and p are appropriately chosen, it is computationally infeasible to compute Xa from Ya. That is to say, the cost of performing such a task, in terms of memory or computing time needed, is large enough to deter eavesdroppers. In any event, new X and Y values can be chosen for each message, which is short enough to preclude an X value being computed from a corresponding Y value.

After exchanging the Y values, each user computes a session key K in its own key generator 18, 20, by raising the other user's Y value to the power given by the user's own X value, all modulo p. For user A, the computation is:

K = Yb^Xa mod p.

Substituting for Yb,

K = (a^Xb)^Xa mod p = a^(Xa·Xb) mod p,

and for user B, the computation is:

K = Ya^Xb mod p.
Substituting for Ya,

K = (a^Xa)^Xb mod p = a^(Xa·Xb) mod p.

The two users A, B now have the same session key K, which is input to a conventional cryptographic device 28, 30. A transmitting cryptographic device, e.g. 28, transforms a plaintext message M into ciphertext C for transmission on the communications channel 26, and a receiving cryptographic device 30 makes the inverse transformation back to the plaintext M.

The Hellman et al. '770 patent points out that the generation of a session key is secure from eavesdropping, because the information exchanged on the insecure channel includes only the Y values, from which the corresponding X values cannot be easily computed. However, this form of key exchange system still has two significant problems. One is that the system is vulnerable to attack from active eavesdropping, rather than the passive eavesdropping described in the patent. The other is that identity authentication can be provided only by means of a public key directory.

Active eavesdropping takes place when an unauthorized person places a substitute message on the communications channel. FIG. 2 depicts an example of active eavesdropping using the same components as FIG. 1. The active eavesdropper E has broken the continuity of the unsecured line 26, and is receiving messages from A and relaying them to B, while sending appropriate responses to A as well. In effect, E is pretending to be B, with device Eb, and is also pretending to be A, with device Ea. E has two cryptographic devices 34a, 34b, two session key generators 36a, 36b, and two number generators 38a, 38b. When device Eb receives Ya from A, it generates Xb' from number generator 38b, computes Yb' from Xb' and transmits Yb' to A. Device Eb and user A compute the same session key and can begin communication of data. Similarly, device Ea and user B exchange Y numbers and both generate a session key, different from the one used by A and Eb. Eavesdropper E is able to decrypt the ciphertext C into plaintext M, then encipher again for transmission to B. A and B are each unaware that they are not communicating directly with the other.

In accordance with the present invention, each user is provided with proof of identity of the party with whom he is conversing, and both active and passive eavesdropping are rendered practically impossible. FIG. 3 shows the key management approach of the present invention, using the same reference numerals as FIGS. 1 and 2, except that the session key generators are referred to in FIG. 3 as 18' and 20', to indicate that the key generation function is different in the present invention. The user devices also include a number storage area 40, 42. Storage area 40 contains a preselected number Xa, stored at the time of manufacture of the A device, and another number referred to as "signed Ya," also stored at the time of manufacture. Xa was chosen at random, and is unique to the device. Ya was computed from Xa using the transformation

Ya = a^Xa mod p.

Then the Ya value was concatenated with a number IDa uniquely identifying the user A device, such as a manufacturer's serial number, and then encoded in such a way that it was digitally "signed" by the manufacturer for purposes of authenticity. The techniques for digitally signing data are known in the cryptography art, and some will be discussed below. For the present, one need only consider that the number designated "signed (Ya,IDa)" contains the value Ya and another value IDa uniquely identifying the A device, all coded as a "signature" confirming that the number originated from the manufacturer and from no-one else. User B's device 12 has stored in its storage area 42 the values Xb and signed (Yb,IDb).

The signed (Ya,IDa) and signed (Yb,IDb) values are exchanged over the insecure channel, and each session key generator 18', 20' then unsigns the received value and verifies that it is conversing with the correct user device. The identifiers IDa and IDb are known publicly, so user device A verifies that the number IDb is contained in the signed (Yb,IDb) number that was received. Likewise, user device B verifies that the value signed (Ya,IDa) contains the known value IDa. By performing the process of "unsigning" the received messages, the user devices also confirm that the signed data originated from the manufacturer and not from some other entity. Since the Xa, Xb values are secret values, and it is infeasible to obtain them from the transmitted signed (Ya,IDa) and signed (Yb,IDb) values, the users may both compute identical session keys in a manner similar to that disclosed in the Hellman et al. '770 patent. If an eavesdropper E were to attempt to substitute fake messages for the exchanged ones, he would be unable to satisfy the authentication requirements. E could intercept a signed (Ya,IDa) transmission, could unsign the message and obtain the values Ya and IDa. E could similarly obtain the values Yb and IDb. However, in order for E and A to use the same session key, E would have to generate a value Xe, compute Ye and concatenate it with IDb, which is known, and then digitally sign the composite number in the same manner as the manufacturer. As will be explained, digital signing involves a transformation that is very easy to effect in one direction, the unsigning direction, but is computationally infeasible in the other, the signing direction. Therefore, eavesdropper E would be unable to establish a common key with either A or B because he would be unable to generate messages that would satisfy the authentication requirements.

As described thus far, the technique of the invention establishes a session key that is derived from X and Y values stored in the devices at the time of manufacture. Ideally, a new session key should be established for each exchange of message traffic. An additional unsecured exchange is needed to accomplish this.

The number generator 14 in the A device 10 generates a random number X'a and the number generator 16 in the B device 12 generates a random number X'b. These are supplied to the session key generators 18, 20, respectively, which generate values Y'a and Y'b in accordance with the transformations:

Y'a = a^X'a mod p,

Y'b = a^X'b mod p.

These values are also exchanged between the A and B devices, at the same time that the values of signed (Ya,IDa) and signed (Yb,IDb) are exchanged. After the authenticity of the message has been confirmed, as described above, the session key generators perform the following transformations to derive a session key. At the A device, the session key is computed as

Ka = (Y'b)^Xa mod p ⊕ (Yb)^X'a mod p,
and at the B device, the session key is computed as

Kb = (Y'a)^Xb mod p ⊕ (Ya)^X'b mod p,

where ⊕ means an exclusive OR operation.

Thus the session key is computed at each device using one fixed number, i.e. fixed at manufacturing time, and one variable number, i.e. chosen at session time. The numbers are exclusive ORed together on a bit-by-bit basis. It can be shown that Ka = Kb by substituting for the Y values. Thus:

Ka = (a^X'b)^Xa mod p ⊕ (a^Xb)^X'a mod p
   = a^(Xa·X'b) mod p ⊕ a^(X'a·Xb) mod p
   = (Ya)^X'b mod p ⊕ (Y'a)^Xb mod p
   = (Y'a)^Xb mod p ⊕ (Ya)^X'b mod p
   = Kb.
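The exchange just described, and the Ka = Kb identity, worked through in Python as an added example that is not part of the patent. Every parameter is a constructed toy value and an assumption of this example, not a value from the patent: p = 1019 (a strong prime, where the patent calls for 512 bits), an RSA signature with a 20-bit modulus standing in for the manufacturer's signing method, 8-bit device identifiers, and (Y << 8) | ID as the concatenation.

```python
import secrets

# Toy public parameters constructed for this example (the patent calls for
# 512-bit strong primes; these are tiny so the arithmetic is easy to follow).
P = 1019                       # strong prime: (P - 1) // 2 == 509 is also prime


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_parameters(p: int, a: int) -> bool:
    """Restrictions stated in the text: p a strong prime, 1 < a < p-1 and
    a^((p-1)/2) mod p == p-1, which makes a a generator mod p."""
    return (is_prime(p) and is_prime((p - 1) // 2)
            and 1 < a < p - 1 and pow(a, (p - 1) // 2, p) == p - 1)


def find_base(p: int) -> int:
    """Smallest base satisfying check_parameters; fine for a toy modulus."""
    return next(a for a in range(2, p - 1) if check_parameters(p, a))


A = find_base(P)


def unsign(signed: int, n: int, e: int) -> tuple:
    """Public inverse of the manufacturer's signature: recover (Y, ID)."""
    composite = pow(signed, e, n)
    return composite >> 8, composite & 0xFF


class Device:
    """One user device: a fixed secret X, the signed (Y, ID) composite, and
    the manufacturer's public unsigning key (n, e)."""

    def __init__(self, device_id: int, x: int, signed: int, n: int, e: int):
        self.device_id, self.x, self.signed = device_id, x, signed
        self.n, self.e = n, e
        self.x_prime = None

    def start_session(self) -> tuple:
        """What goes over the insecure channel: signed(Y, ID) and Y' = a^X'."""
        self.x_prime = 1 + secrets.randbelow(P - 2)    # fresh 1 < X' < p-1
        return self.signed, pow(A, self.x_prime, P)

    def finish_session(self, expected_id: int, peer_signed: int,
                       peer_y_prime: int) -> int:
        """Check the peer's identity, then K = Y'_peer^X  xor  Y_peer^X'."""
        peer_y, peer_id = unsign(peer_signed, self.n, self.e)
        if peer_id != expected_id:
            raise ValueError("peer identifier does not match signed composite")
        return pow(peer_y_prime, self.x, P) ^ pow(peer_y, self.x_prime, P)


class Manufacturer:
    """Provisions devices and signs their composites. RSA is one of the
    signature methods the text allows; the 20-bit modulus is a toy value.
    Following the page's convention, the signing exponent is the secret one."""

    def __init__(self) -> None:
        p_rsa, q_rsa = 1013, 1009                        # toy primes
        self.n = p_rsa * q_rsa
        self.e = 65537                                   # public exponent
        self.d = pow(self.e, -1, (p_rsa - 1) * (q_rsa - 1))  # secret exponent

    def provision(self, device_id: int) -> Device:
        x = 1 + secrets.randbelow(P - 2)         # 1 < X < p-1, fixed for life
        y = pow(A, x, P)                          # Y = a^X mod p
        composite = (y << 8) | device_id          # Y concatenated with ID
        assert 0 < composite < self.n and device_id < 256
        return Device(device_id, x, pow(composite, self.d, self.n), self.n, self.e)


def run_session(id_a: int = 0x0A, id_b: int = 0x0B) -> tuple:
    """Full exchange between two provisioned devices; returns (Ka, Kb)."""
    maker = Manufacturer()
    dev_a, dev_b = maker.provision(id_a), maker.provision(id_b)
    msg_a = dev_a.start_session()                 # A -> B over the channel
    msg_b = dev_b.start_session()                 # B -> A over the channel
    return dev_a.finish_session(id_b, *msg_b), dev_b.finish_session(id_a, *msg_a)


def wrong_device_rejected() -> bool:
    """A's check fails if it receives a composite signed for some other ID."""
    maker = Manufacturer()
    dev_a, dev_c = maker.provision(0x0A), maker.provision(0x0C)
    dev_a.start_session()
    _, y_prime_c = dev_c.start_session()
    try:
        dev_a.finish_session(0x0B, dev_c.signed, y_prime_c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = run_session()
    print(f"Ka={ka} Kb={kb} equal={ka == kb}")
```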

This common session key satisfies secrecy and au- 
thentication requirements, and does not require double 
encryption-decryption or the use of a public key direc- 
tory or key distribution center. The only requirement is 
that of a manufacturer who will undertake to supply 
devices that have unique device ID's and selected X 
values encoded into them. For a large corporation or 
other organization, this obligation could be assumed by 
the organization itself rather than the manufacturer. For 
example, a corporation might purchase a large number 
of communications devices and complete the manufac- 
turing process by installing unique ID's, X values, and 
signed Y values in the units before distributing them to 
the users. This would relieve the manufacturer from the 
obligation. 

The process described above uses parameters that 
must meet certain numerical restrictions. The length 
restrictions are to ensure sufficient security, and the 
other requirements are to ensure that each transforma- 
tion using modulo arithmetic produces a unique trans- 
formed counterpart. First, the modulus p must be a 
strong prime number 512 bits long. A strong prime 
number is a prime number p that meets the additional 
requirement that (p-l)/2 has at least one large prime 
factor or is preferably itself a prime number. The base 
number must be a 512-bit random number that satisfies 
the relationships: 

a^((p-1)/2) mod p = p-1, and 1 < a < p-1.

Finally, the values X and X' are chosen as 512-bit ran- 
dom numbers such that 

1 < X, X' < p-1.

As indicated above, the process of authentication in 
the invention depends on the ability of the manufac- 
turer, or the owner of multiple devices, to supply a 
signed Y value with each device that is distributed. A 
digital signature is a property of a message that is pri- 
vate to its originator. Basically, the signing process is 
effected by a transformation that is extremely difficult 
to perform, but the inverse transformation, the "unsign- 
ing," can be performed easily by every user. The pres- 
ent invention is not limited to the use of a particular 
digital signature technique. 

One approach is to use an RSA public key signature 
technique. The RSA technique takes its name from the 
initial letters of its originators, Rivest, Shamir and Adle- 
man, and is one of a class of encryption schemes known 
as exponentiation ciphers. An exponentiation cipher makes the transformation C = P^e mod n, where e and n constitute the enciphering key. The inverse transformation is accomplished by P = C^d mod n. With appropriate selection of n, d and e, the values of n and d can be made public without giving away the exponent e used in the encryption transformation. Therefore, a digital signature can be applied to data by performing the exponentiation transformation with a secret exponent e, and providing a public decryption exponent d, which, of course, will be effective to decrypt only properly "signed" messages.

In the preferred embodiment of the present invention, another approach is used for digital signature, namely a modular square-root transformation. In the expression x = m^2 mod n, the number m is said to be the square root of x mod n, or the modular square root of x. If n is appropriately selected, the transformation is very difficult to perform in one direction. That is to say, it is very difficult to compute m from x, although easy to compute x from m. If the modulus n is selected to be the product of two large prime numbers, the inverse or square-root transformation can only be made if the factors of the modulus are known. Therefore, the modulus n is chosen as the product of two prime numbers, and the product is 1,024 bits long. Further, the factors must be different in length by a few bits. In the devices using the present invention, the value "signed (Ya,IDa)" is computed by first assembling or concatenating the codes to be signed. These are:

1. A numerical code IDa uniquely identifying the A 
device. In the present embodiment of the inven- 
tion, this is a ten-digit (decimal) number encoded in 
ASCII format, but it could be in any desired for- 
mat. 

2. A number of ASCII numerical codes indicating a 
version number of the device. This may be used for 
device testing or analyzing problems relating to 
device incompatibility. 

3. The value Ya computed from the chosen value of 
Xa, encoded in binary form. 

4. A random value added to the least-significant end 
of the composite message, and used to ensure that 
the composite message is a perfect modular square. 
The last element of the message is needed because of 
inherent properties of the modular squaring process. If 
one were to list all possible values of a modular square 
x, from 1 to n-1, and all corresponding values of the 
modular square root m, some of the values of x would 
have multiple possible values of m, but others of the 
values of x would have no corresponding values of m. 
The value added to the end of the message ensures that 
the number for which a modular square root is to be 
computed, is one that actually has a modular square 
root. A simple example should help make this clear. 
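The padding-and-signing process described above, carried out in code. This is an added example, not the patent's own code; it uses the same toy modulus 7849 that the numeric illustration below works with (the factorization 7849 = 47 x 167 is my own computation, since the page gives only n), and it also applies the rule, discussed further on, of skipping the two roots of an ordinary perfect square. The helper names and the pad search are my own.

```python
# Added example (not code from the patent): digital signature by modular square
# root, including the padding step that turns the composite message into a
# modular square, and the rule that skips the two "forgeable" roots.  The toy
# modulus 7849 = 47 * 167 (my factorization of the value the text uses) stands
# in for the 1,024-bit product of two primes a real device would hold.
import math

P, Q = 47, 167          # both are 3 mod 4, which keeps the root formula simple
N = P * Q               # 7849


def is_residue(x, prime):
    """Euler's criterion: x is a square mod prime iff x^((prime-1)/2) == 1."""
    return pow(x % prime, (prime - 1) // 2, prime) == 1


def root_mod_prime(x, prime):
    """One square root of x mod prime; valid because prime % 4 == 3."""
    return pow(x % prime, (prime + 1) // 4, prime)


def crt(r1, m1, r2, m2):
    """Chinese remainder theorem: the value mod m1*m2 with the given residues."""
    t = ((r2 - r1) * pow(m1, -1, m2)) % m2
    return (r1 + m1 * t) % (m1 * m2)


def modular_square_roots(x, p=P, q=Q):
    """All m in [1, n-1] with m^2 mod n == x (empty if x is not a modular square).

    Knowing p and q (the signer's secret) makes this easy; without them it is
    as hard as factoring n, which is what makes the signature unforgeable.
    """
    n = p * q
    if math.gcd(x, n) != 1 or not (is_residue(x, p) and is_residue(x, q)):
        return []
    rp, rq = root_mod_prime(x, p), root_mod_prime(x, q)
    return sorted({crt(a, p, b, q) for a in (rp, p - rp) for b in (rq, q - rq)})


def forgeable_roots(x, n=N):
    """If x is an ordinary perfect square r*r, the roots r and n-r can be found
    without the factors of n and must not be used as signatures."""
    r = math.isqrt(x)
    return {r, n - r} if r * r == x else set()


def pad_and_sign(composite, p=P, q=Q, max_pad=64):
    """Add the smallest value to the composite that makes it a modular square
    with a usable root; return (signature, padded_value).  The padded value is
    what the verifier recovers, so the pad travels with the message."""
    n = p * q
    for pad in range(max_pad):
        x = composite + pad
        usable = [m for m in modular_square_roots(x, p, q)
                  if m not in forgeable_roots(x, n)]
        if usable:
            return usable[0], x       # any usable root serves as the signature
    raise ValueError("no suitable pad found")


def unsign(signature, n=N):
    """Verification needs only n: square the signature."""
    return pow(signature, 2, n)


if __name__ == "__main__":
    print(modular_square_roots(98))    # [425, 1412, 6437, 7424]
    print(modular_square_roots(99))    # []
    print(modular_square_roots(100))   # [10, 1326, 6523, 7839]
    sig, padded = pad_and_sign(99)     # 99 is not a modular square; 100 is
    print(sig, padded, unsign(sig))    # 1326 100 100
```

Only `unsign` is needed on the receiving device; `modular_square_roots` and `pad_and_sign` belong to the manufacturer, who alone holds p and q.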

Suppose the modulus n is 7849. It can be verified by 
calculator that a value x of 98 has four possible values of 
m in the range 1 to n-1: 7424, 1412, 6437 and 425, such 
that m^2 mod 7849 = 98. However, the x value 99 has no 
possible modular square root values m. If the composite 
message to be signed had a numerical value of 99, it 
would be necessary to add to it a value such as 1, making 
a new x value of 100, which has four possible square 
root values in the range 1 to n-1, namely 1326, 7839, 10 
and 6523. In most instances, it does not matter which of 
these is picked by the modular square root process em- 
ployed, since the squaring or "unsigning" process will 
always yield the composite message value 100 again. 
However, there are a few values of m that should be 
avoided for maximum security. If the x value is a perfect 
square in ordinary arithmetic (such as the number 100 in 
the example), two values of m that should be avoided 
are the square root of x by ordinary arithmetic (the 
number 10 in the example), and the number that is the 
difference between the modulus n and the ordinary- 
arithmetic square root of x (i.e. 7839 in the example). If 
a number fitting this definition is used as a signed mes- 
sage, the signature is subject to being "forged" without 
knowledge of the factors of n. Therefore, such numbers 
are avoided in assigning signatures, and each device can 
be easily designed to abort an exchange when the signed 
message takes the form of one of these avoided num- 
bers. 

When the modular square root process is used for 
digitally signing the composite data stored in each de- 
vice, the "unsigning" process upon receipt of a signed 
composite message is simply the squaring of the mes- 
sage, modulo n. The value n is not made public, al- 
though it could be determined by close examination of 
one of the devices. Even with knowledge of the modu- 
lus n, however, the computation of the modular square 
root is computationally infeasible without knowledge of 
the factorization of n. 

With a knowledge of the factorization of the modulus 
n, the computation of the modular square root becomes 
a feasible, although laborious task, which may be per- 
formed by any known computational method. It will be 
recalled that this process is performed prior to distribu- 
tion of the devices embodying the invention, so compu- 
tation time is not a critical factor. 

It will be understood that the cryptographic tech- 
nique of the invention may be implemented in any form 
that is convenient for a particular application. Modular 
arithmetic is now well understood by those working in 
the field, and may be implemented in hardware form in 
the manner described in the '777 Hellman et al. patent. 
More conveniently, off-the-shelf modular arithmetic 
devices are available for connection to conventional 
microprocessor hardware. For example, part number 
CY1024 manufactured by CYLINK, of Sunnyvale, 
Calif. 94087, performs modular addition, multiplication 
and exponentiation. 

For application to facsimile communications, the 
technique of the invention may be made completely 
"transparent" to the user. FIG. 4 shows the architecture 
of a device for connection between a conventional 
FAX machine 50 and a telephone line 52. The device 
includes a first conventional modem 54 (modulator/ 
demodulator) for connection to the FAX machine 50 
and a second modem 56 for connection to the telephone 
line 52. The modems 54, 56 function to demodulate all 
messages entering the device from either the FAX ma- 
chine or the telephone line, and to modulate messages 
for transmission to the FAX machine or onto the tele- 
phone line. The device further includes a communica- 
tions processor 58 connected between the two modems 
54, 56, and a cryptographic processor 60 connected to 
the communications processor 58. The communications 
processor 58 manages message traffic flow to and from 
the modems 54, 56 and to and from the cryptographic 
processor 60, and ensures that the necessary communi- 
cations protocols are complied with. In one preferred 
embodiment of the invention, the communications pro- 
cessor is a microprocessor specified by part number 
MC68000, manufactured by Motorola Corporation. 

As shown in FIG. 5, the cryptographic processor 60 
includes a conventional microprocessor 62 having a 
data bus 64 and a data bus 66, to which various other 
modules are connected. The microprocessor 62 may be, 
for example, a National Semiconductor Company de- 
vice specified by part number NSC800. The connected 
modules include a random access memory (RAM) 68, a 
read-only memory (ROM) 70, which serves as a storage 
area for the X value and the signed Y value, an integrat- 
ed-circuit chip 72 for implementation of the Data En- 
cryption Standard (DES), a modular arithmetic device 
74 such as the CYLINK CY 1024, and an interface mod- 
ule 76 in the form of a dual-port RAM, for connection 
to the communications processor 58. 

For transparent operation of the device shown in 
FIGS. 4 and 5, a user supplies not only the telephone 
number of a destination FAX machine, but also the ID 
of the intended destination FAX encoding/decoding 
device. When the digitally signed Y values are ex- 
changed, the sending user device automatically "un- 
signs" the transmission by performing a modular squar- 
ing function; then compares the intended destination ID 
with the user ID returned with the Y value, and aborts 
the session if there is not a match. The key management 
steps previously described proceed automatically under 
control of the cryptographic processor 60, and when a 
session key has been derived, this is automatically ap- 
plied in a conventional cryptographic process, such as 
the DES, to encrypt and decrypt a facsimile transmis- 
sion. 

It will be appreciated from the foregoing that the 
present invention represents a significant advance in 
cryptographic systems. In particular, the invention pro- 
vides a technique for establishing a common session key 
for two users by means of an exchange of messages over 
an insecure communications channel. What distin- 
guishes the invention from prior approaches to public 
key exchange systems is that the technique of the inven- 
tion provides for identity authentication of the users 
without the need for a key distribution center or a pub- 
lic key register. Further, the technique is resistant to 
both passive and active eavesdropping. It will also be 
appreciated that, although an embodiment of the inven- 
tion has been described in detail for purposes of illustra- 
tion, various modifications may be made without de- 
parting from the spirit and scope of the invention. Ac- 
cordingly, the invention is not to be limited except as by 
the appended claims. 

I claim: 

1. A secure key generator, comprising: 

storage means for storing a number of a first type 
selected prior to placing the key generator in ser- 
vice, and a digitally signed composite quantity 
containing both a unique and publicly known iden- 
tifier of the key generator and a number of a second 
type obtained by a practically irreversible transfor- 
mation of the number of the first type; 

a first input connected to receive the number of the 
first type; 

a second input connected to receive an input quantity 
transmitted over an insecure communications 
channel from another key generator, the input 
quantity being digitally signed and containing both 
a publicly known identifier of the other key genera- 
tor and a number of the second type generated by 
a practically irreversible transformation of a num- 
ber of the first type stored in the other key genera- 
tor; 
a first output for transmitting the stored, digitally 
signed composite quantity over the insecure com- 
munications channel to the other key generator, 

a second output; 

means for decoding the signed input quantity re- 
ceived at the second input, to obtain the identifier 
of the other key generator and the received number 
of the second type; and 

means for generating a session key at the second 
output, by performing a practically irreversible 
transformation of the number of the second type 
received through the second input, using the num- 
ber of the first type received through the first input. 

2. A secure key generator as defined in claim 1, 
wherein the key generator further comprises: 

a third input, connected to receive another number of 
the first type, generated randomly; 

means for generating at the first output, for transmis- 
sion with the digitally signed composite quantity, a 
number of the second type obtained by a practi- 
cally irreversible transformation of the number of 
the first type received through the third input; and 

means for receiving from the second input another 
number of the second type generated in and trans- 
mitted from the other key generator; 

and wherein the means for generating a session key 
performs a practically irreversible transformation 
involving both numbers of the first type, received 
at the first and third inputs, and both numbers of 
the second type received at the second input, 
whereby a different session key may be generated 
for each message transmission session. 

3. A secure key generator as defined in claim 2, 
wherein: 

the number of the second type stored in digitally 
signed form in the storage means is obtained by the 
transformation Ya = a^Xa mod p, where Xa is the 
number of the first type stored in the storage 
means, and a and p are publicly known transforma- 
tion parameters; 

the number of the second type received in the digi- 
tally signed composite quantity from the other key 
generator is designated Yb; and 

the means for generating the session key performs the 
transformation 

K = (Y'b)^X'a mod p ⊕ (Yb)^Xa mod p, 

where X'a is the number of the first type that is ran- 
domly generated, Y'b is the additional number of the 
second type received from the other key generator, and 
the ⊕ symbol denotes an exclusive OR operation. 
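The session-key derivation of claim 3, together with the static-only form of claim 4 and the identity check on the recovered ID, run on two devices. This is an added example and not the patent's code: it uses toy parameters p = 1019 and a = 2, the digital signature on (Ya, IDa) is modelled by a plain tuple whose "unsigning" simply unpacks it (an assumption, so that the key arithmetic stays in view), and the class and function names are my own.

```python
# Added example (not code from the patent): the two-device session-key
# derivation of claim 3 (and the static-only variant of claim 4) with toy
# parameters p = 1019, a = 2.  The digital signature on (Ya, IDa) is modelled
# by a plain tuple and "unsigning" simply unpacks it (assumption); the identity
# check on the recovered ID is kept, since that is what the signature protects.
import secrets

P, A = 1019, 2          # strong prime ((p-1)/2 = 509 is prime) and a non-residue base


def unsign(signed_composite):
    """Stand-in for the real unsigning step; returns (Y, ID)."""
    return signed_composite


class Device:
    def __init__(self, dev_id, x):
        self.dev_id = dev_id                        # publicly known identifier
        self.x = x                                  # secret number of the first type, stored at manufacture
        self.y = pow(A, x, P)                       # Y = a^X mod p
        self.signed_composite = (self.y, dev_id)    # stand-in for signed (Y, ID)
        self.x_prime = None

    def start_session(self, x_prime=None):
        """Pick a fresh X' (1 < X' < p-1) and return what is sent to the peer."""
        self.x_prime = x_prime if x_prime is not None else secrets.randbelow(P - 3) + 2
        y_prime = pow(A, self.x_prime, P)           # Y' = a^X' mod p
        return self.signed_composite, y_prime

    def derive_key(self, expected_peer_id, peer_signed_composite, peer_y_prime):
        """K = (Y'b)^X'a mod p XOR (Yb)^Xa mod p, after checking the peer's ID."""
        peer_y, peer_id = unsign(peer_signed_composite)
        if peer_id != expected_peer_id:
            raise ValueError("identity mismatch: aborting session")
        return pow(peer_y_prime, self.x_prime, P) ^ pow(peer_y, self.x, P)

    def static_key(self, expected_peer_id, peer_signed_composite):
        """Claim 4 variant: K = Yb^Xa mod p, the same for every session."""
        peer_y, peer_id = unsign(peer_signed_composite)
        if peer_id != expected_peer_id:
            raise ValueError("identity mismatch: aborting session")
        return pow(peer_y, self.x, P)


def run_exchange(dev_a, dev_b, x_prime_a=None, x_prime_b=None):
    """Exchange (signed composite, Y') both ways and return (K at a, K at b)."""
    sent_by_a = dev_a.start_session(x_prime_a)
    sent_by_b = dev_b.start_session(x_prime_b)
    k_a = dev_a.derive_key(dev_b.dev_id, *sent_by_b)
    k_b = dev_b.derive_key(dev_a.dev_id, *sent_by_a)
    return k_a, k_b


if __name__ == "__main__":
    a = Device("0000000001", 123)
    b = Device("0000000002", 456)
    print(run_exchange(a, b))   # two equal keys
    print(run_exchange(a, b))   # new X' values on both sides, so a different (still equal) pair
```

Both sides agree because (Y'b)^X'a = a^(X'a X'b) = (Y'a)^X'b and (Yb)^Xa = a^(Xa Xb) = (Ya)^Xb mod p; the XOR of the two terms ties the per-session value to the stored, signed one, which is the point of claim 2's separate X'.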

4. A secure key generator as defined in claim 1, 
wherein: 

the number of the second type stored in digitally 
signed form in the storage means is obtained by the 
transformation Ya = a^Xa mod p, where Xa is the 
number of the first type stored in the storage 
means, and a and p are publicly known transforma- 
tion parameters; 

the number of the second type received in the digi- 
tally signed composite quantity from the other key 
generator is designated Yb; and 

the means for generating the session key performs the 
transformation K = Yb^Xa mod p. 

5. A method of generating a secure session key be- 
tween two user devices connected by an insecure com- 
munications channel, comprising the following steps 
performed at both devices: 

transmitting a digitally signed composite quantity to 
the other device, the composite quantity including 
a publicly known device identifier IDa and a num- 
ber Ya derived by a practically irreversible trans- 
formation of a secret number Xa that is unique to 
the device; 

receiving a similarly structured digitally signed com- 
posite quantity from the other device; 

transforming the received digitally signed composite 
quantity into an unsigned composite quantity con- 
taining a device identifier IDb of the other device 
and a number Yb that was derived by transforma- 
tion from a secret number Xb that is unique to the 
other device; 

verifying the identity of the other device from the 
device identifier IDb; and 

generating a session key by performing a practically 
irreversible transformation involving the numbers 
Xa and Yb. 

6. A method as defined in claim 5, and further includ- 
ing the steps of: 

generating another number X'a randomly prior to 
generation of a session key; 

transforming the number X'a to a number Y'a using a 
practically irreversible transformation; 

transmitting the number Y'a to the other device; and 

receiving a number Y'b from the other device; 

wherein the step of generating a session key includes 
a practically irreversible transformation involving 
the numbers Xa, X'a, Yb and Y'b. 

7. A method as defined in claim 6, wherein: 

the transformations from X numbers to Y numbers are 
of the type Y = a^X mod p, where a and p are chosen 
to maximize irreversibility of the transformations; 
and 

the step of generating a session key includes the trans- 
formation 

K = (Y'b)^X'a mod p ⊕ (Yb)^Xa mod p, 

where ⊕ denotes an exclusive OR operation. 

8. A method of authentication in a public key crypto- 
graphic system, the method comprising the steps of: 

selecting a unique random number Xi for each cryp- 
tographic device to be distributed; 

transforming the number Xi to a new number Yi 
using a practically irreversible transformation; 

forming a composite quantity by combining the num- 
ber Yi with a publicly known device identifier IDi; 

digitally signing the composite quantity containing Yi 
and IDi; 

storing the signed composite quantity and the number 
Xi permanently in each device; 

exchanging, between two devices, a and b, desiring to 
establish secured communication, the signed com- 
posite quantities stored in each; 

authenticating, in each of the two devices, the iden- 
tity of the other device; and 

generating, in each of the two devices, a session key 
to be used for secured communication. 

9. A method as defined in claim 8, wherein the step of 
authenticating includes: 

transforming the digitally signed composite quantity 
received from the other device into unsigned form; 
and 

comparing the value of IDb in the unsigned quantity 
with the known IDb of the other device. 
10. A method as defined in claim 9, wherein: the step 
of generating the session key includes performing a 
transformation that involves a value Yb received from 
the other device and the value Xa of this device. 

11. A method as defined in claim 10, wherein: the step 
of digitally signing includes computing a modular 
square root of the composite quantity; 

the step of transforming the digitally signed compos- 
ite quantity to unsigned form includes computing a 
modular square of the signed quantity. 

12. A method as defined in claim 11, wherein: 
the steps of computing a modular square root and 

computing a modular square both employ a modu- 
lus that is the product of two prime numbers. 

13. A method as defined in claim 8, and further com- 
prising the steps of: 

transforming, in each of the two devices, the digitally 
signed composite quantity received from the other 
device into unsigned form; and 

generating, in each of the two devices, a, b, a random 
number X'a, X'b; 

transforming the numbers X'a, X'b into numbers Y'a, 
Y'b by a transformation that is practically irreversi- 
ble; and 

exchanging the numbers Y'a, Y'b between the two 
devices; 

and wherein the step of generating the session key 
includes performing a practically irreversible trans- 
formation involving the numbers Xa, X'a, Yb, and 
Y'b in device a, and the numbers Xb, X'b, Ya, and 
Y'a in device b. 

14. A method as defined in claim 13, wherein: 

the transformations from X numbers to Y numbers are 
of the type Y = a^X mod p, where a and p are chosen 
to maximize irreversibility of the transformations; 
and 

the step of generating a session key includes the trans- 
formations 

K = (Y'b)^X'a mod p ⊕ (Yb)^Xa mod p, 

for device a, and 

K = (Y'a)^X'b mod p ⊕ (Ya)^Xb mod p, 

for device b, where ⊕ denotes an exclusive OR opera- 
tion. 

15. A method as defined in claim 13, wherein: 

the step of digitally signing includes computing a 
modular square root of the composite quantity; 

the step of transforming the digitally signed compos- 
ite quantity to unsigned form includes computing a 
modular square of the signed quantity. 

16. A method as defined in claim 15, wherein: 

the steps of computing a modular square root and 
computing a modular square both employ a modu- 
lus that is the product of two prime numbers. 


